Jump to content

Funny: MS Vista Exploit Allows Myspace Sites to Control Your


DLSS
 Share

Recommended Posts

Actually, this is hilarious. Microsoft has spent the last 5 years trying to secure their operating system and on the first day it goes on the market, someone figures out the easiest security hole ever.

Even Jon Stewart, after asking Bill Gates what the F12 key does on the Daily Show last night, knew enough to ask Gates about the security issue. And according to an NPR broadcast I heard recently, it's a big deal for the company and the stockholders - one guest even speculated that if Vista proves to be no better than XP, MS could take a severe hit.

And now, it turns out, even Jon Stewart may be able to hack Vista.

Turns out, because Vista has its new HAL900 like voice command system, anyone with a Myspace page can trigger that command (if it's running) with an audio file set to start when the visitor clicks. This exploit was tested by ZD Net's George Ou.

I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu. I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked! Anyone that's ever visited MySpace knows how many annoying webpages out there that will start blasting loud MP3 music as soon as they enter the page.

So, while this is not the same as an exploit that will allow a remote hacker to run code, Ou points out that being able to remotely launch commands is still a serious problem.

There are some mitigating factors but there is no doubt this is still a serious exploit. Most people won't have Vista speech commands configured and enabled but if they do, the speech command control console will automatically load with the operating system and park itself on the top of the desktop waiting for audio commands. The other mitigating factor is that if you visit a webpage and it starts barking out slow and loud Vista speech commands, it will be rather obvious to most people that something is very wrong. But it's still possible that a webpage might delay the sound playback and hope that the user is not around to stop the exploit.

So watch out for songs scurrilously titled, "Shut Down" or "Restart" on iTunes. XD

(source : www.dailykos.com)

more info -> http://blogs.zdnet.com/Ou/?p=416

Link to comment
Share on other sites

  • 2 weeks later...

A friend of mine was adiment on getting a copy of vista for his new £900 laptop as soon as it came out.

He didn't need it for any thing specifically, so I managed to convince him to wait until service pack 1 is released. The jokes about how people would sneak up behind him and yell "SHUTDOWN" at his laptop are never ending :D

Link to comment
Share on other sites

lol thats pretty kool, at my skool (tershary education) there ate tons of users using laptops, i can just imagin in the near future, sitting in a lecture hall, and the instructed mentions shutdown in his speach, and u just see all these laptops casscadingly shutdown in front of you :P

Link to comment
Share on other sites

lol thats pretty kool, at my skool (tershary education) there ate tons of users using laptops, i can just imagin in the near future, sitting in a lecture hall, and the instructed mentions shutdown in his speach, and u just see all these laptops casscadingly shutdown in front of you :P

lol hey, that'd look kinda cool in the dark huh? :lol:

Link to comment
Share on other sites

"Open documents folder", "Select all", "Delete", "Yes", "empty recycle bin" yep, very hard :P

There is of course also: "open Word", "font size 100", "You are a total fucking loser for using myspace", "file, print", "100 copies", "print", "lock computer" :lol:

Link to comment
Share on other sites

"Open documents folder", "Select all", "Delete", "Yes", "empty recycle bin" yep, very hard :P

There is of course also: "open Word", "font size 100", "You are a total fucking loser for using myspace", "file, print", "100 copies", "print", "lock computer" :lol:

XD <3 sparda

Link to comment
Share on other sites

"Open documents folder", "Select all", "Delete", "Yes", "empty recycle bin" yep, very hard :P

There is of course also: "open Word", "font size 100", "You are a total fucking loser for using myspace", "file, print", "100 copies", "print", "lock computer" :lol:

Well that's not exactly taking control of it, and it would probably be hard to get all those commands to execute properly. And the user would have plenty of time to close the site.
Link to comment
Share on other sites

  • 3 weeks later...

I haven't used speech recognition in yeaaars, but I distinctly remember that you could mutter any old garbage into the microphone, and the software would attempt to make some sense of it.

If windows Vista has the same "go get 'em" attitude to speech recognition...perhaps you could find away to fool it into executing commands, hidden/modulated inside of incomprehensible gibberish or noise :)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...